Utilities
- busybox: Software that provides several stripped-down Unix tools in a single executable file. Of course, it will be necessary to use a "production" version of busybox in order to avoid all the tools useful only in development mode.
| Domain | Tool name |
State |
|---|---|---|
| Platform-Utilities-1 | busybox |
Used to provide a number of tools. Do not compile development tools. |
Functionalities to exclude in production mode
In production mode, a number of tools must be disabled to prevent an attacker from finding logs for example. This is useful to limit the visible surface and thus complicate the fault finding process. The tools used only in development mode are marked by an 'agl-devel' feature. When building in production mode, these tools will not be compiled.
| Domain | Utility name and normal path |
State |
|---|---|---|
| Platform-Utilities-1 | chgrp in /bin/chgrp |
Disabled |
| Platform-Utilities-2 | chmod in /bin/chmod |
Disabled |
| Platform-Utilities-3 | chown in /bin/chown |
Disabled |
| Platform-Utilities-4 | dmesg in /bin/dmesg |
Disabled |
| Platform-Utilities-5 | Dnsdomainname in /bin/dnsdomainname |
Disabled |
| Platform-Utilities-6 | dropbear, Remove "dropbear" from /etc/init.d/rcs |
Disabled |
| Platform-Utilities-7 | Editors in (vi) /bin/vi |
Disabled |
| Platform-Utilities-8 | find in /bin/find |
Disabled |
| Platform-Utilities-9 | gdbserver in /bin/gdbserver |
Disabled |
| Platform-Utilities-10 | hexdump in /bin/hexdump |
Disabled |
| Platform-Utilities-11 | hostname in /bin/hostname |
Disabled |
| Platform-Utilities-12 | install in /bin/install |
Disabled |
| Platform-Utilities-13 | iostat in /bin/iostat |
Disabled |
| Platform-Utilities-14 | killall in /bin/killall |
Disabled |
| Platform-Utilities-15 | klogd in /sbin/klogd |
Disabled |
| Platform-Utilities-16 | logger in /bin/logger |
Disabled |
| Platform-Utilities-17 | lsmod in /sbin/lsmod |
Disabled |
| Platform-Utilities-18 | pmap in /bin/pmap |
Disabled |
| Platform-Utilities-19 | ps in /bin/ps |
Disabled |
| Platform-Utilities-20 | ps in /bin/ps |
Disabled |
| Platform-Utilities-21 | rpm in /bin/rpm |
Disabled |
| Platform-Utilities-22 | SSH |
Disabled |
| Platform-Utilities-23 | stbhotplug in /sbin/stbhotplug |
Disabled |
| Platform-Utilities-24 | strace in /bin/trace |
Disabled |
| Platform-Utilities-25 | su in /bin/su |
Disabled |
| Platform-Utilities-26 | syslogd in (logger) /bin/logger |
Disabled |
| Platform-Utilities-27 | top in /bin/top |
Disabled |
| Platform-Utilities-28 | UART in /proc/tty/driver/ |
Disabled |
| Platform-Utilities-29 | which in /bin/which |
Disabled |
| Platform-Utilities-30 | who and whoami in /bin/whoami |
Disabled |
| Platform-Utilities-31 | awk (busybox) |
Enabled |
| Platform-Utilities-32 | cut (busybox) |
Enabled |
| Platform-Utilities-33 | df (busybox) |
Enabled |
| Platform-Utilities-34 | echo (busybox) |
Enabled |
| Platform-Utilities-35 | fdisk (busybox) |
Enabled |
| Platform-Utilities-36 | grep (busybox) |
Enabled |
| Platform-Utilities-37 | mkdir (busybox) |
Enabled |
| Platform-Utilities-38 | mount (vfat) (busybox) |
Enabled |
| Platform-Utilities-39 | printf (busybox) |
Enabled |
| Platform-Utilities-40 | sed in /bin/sed (busybox) |
Enabled |
| Platform-Utilities-41 | tail (busybox) |
Enabled |
| Platform-Utilities-42 | tee (busybox) |
Enabled |
| Platform-Utilities-43 | test (busybox) |
Enabled |
The Enabled Unix/Linux utilities above shall be permitted as they are often used in the start-up scripts and for USB logging. If any of these utilities are not required by the device then those should be removed.